Tor  0.4.7.0-alpha-dev
dns.c
Go to the documentation of this file.
1 /* Copyright (c) 2003-2004, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
6 /**
7  * \file dns.c
8  * \brief Implements a local cache for DNS results for Tor servers.
9  * This is implemented as a wrapper around Adam Langley's eventdns.c code.
10  * (We can't just use gethostbyname() and friends because we really need to
11  * be nonblocking.)
12  *
13  * There are three main cases when a Tor relay uses dns.c to launch a DNS
14  * request:
15  * <ol>
16  * <li>To check whether the DNS server is working more or less correctly.
17  * This happens via dns_launch_correctness_checks(). The answer is
18  * reported in the return value from later calls to
19  * dns_seems_to_be_broken().
20  * <li>When a client has asked the relay, in a RELAY_BEGIN cell, to connect
21  * to a given server by hostname. This happens via dns_resolve().
22  * <li>When a client has asked the relay, in a RELAY_RESOLVE cell, to look
23  * up a given server's IP address(es) by hostname. This also happens via
24  * dns_resolve().
25  * </ol>
26  *
27  * Each of these gets handled a little differently.
28  *
29  * To check for correctness, we look up some hostname we expect to exist and
30  * have real entries, some hostnames which we expect to definitely not exist,
31  * and some hostnames that we expect to probably not exist. If too many of
32  * the hostnames that shouldn't exist do exist, that's a DNS hijacking
33  * attempt. If too many of the hostnames that should exist have the same
34  * addresses as the ones that shouldn't exist, that's a very bad DNS hijacking
35  * attempt, or a very naughty captive portal. And if the hostnames that
36  * should exist simply don't exist, we probably have a broken nameserver.
37  *
38  * To handle client requests, we first check our cache for answers. If there
39  * isn't something up-to-date, we've got to launch A or AAAA requests as
40  * appropriate. How we handle responses to those in particular is a bit
41  * complex; see dns_lookup() and set_exitconn_info_from_resolve().
42  *
43  * When a lookup is finally complete, the inform_pending_connections()
44  * function will tell all of the streams that have been waiting for the
45  * resolve, by calling connection_exit_connect() if the client sent a
46  * RELAY_BEGIN cell, and by calling send_resolved_cell() or
47  * send_hostname_cell() if the client sent a RELAY_RESOLVE cell.
48  **/
49 
50 #define DNS_PRIVATE
51 
52 #include "core/or/or.h"
53 #include "app/config/config.h"
55 #include "core/mainloop/mainloop.h"
57 #include "core/or/circuitlist.h"
58 #include "core/or/circuituse.h"
60 #include "core/or/policies.h"
61 #include "core/or/relay.h"
63 #include "feature/relay/dns.h"
64 #include "feature/relay/router.h"
66 #include "feature/stats/rephist.h"
69 #include "lib/sandbox/sandbox.h"
70 
72 #include "core/or/or_circuit_st.h"
73 
74 #include "ht.h"
75 
76 #ifdef HAVE_SYS_STAT_H
77 #include <sys/stat.h>
78 #endif
79 
80 #include <event2/event.h>
81 #include <event2/dns.h>
82 
83 /** How long will we wait for an answer from the resolver before we decide
84  * that the resolver is wedged? */
85 #define RESOLVE_MAX_TIMEOUT 300
86 
87 /** Our evdns_base; this structure handles all our name lookups. */
88 static struct evdns_base *the_evdns_base = NULL;
89 
90 /** Have we currently configured nameservers with eventdns? */
91 static int nameservers_configured = 0;
92 /** Did our most recent attempt to configure nameservers with eventdns fail? */
93 static int nameserver_config_failed = 0;
94 /** What was the resolv_conf fname we last used when configuring the
95  * nameservers? Used to check whether we need to reconfigure. */
96 static char *resolv_conf_fname = NULL;
97 /** What was the mtime on the resolv.conf file we last used when configuring
98  * the nameservers? Used to check whether we need to reconfigure. */
99 static time_t resolv_conf_mtime = 0;
100 
101 static void purge_expired_resolves(time_t now);
102 static void dns_found_answer(const char *address, uint8_t query_type,
103  int dns_answer,
104  const tor_addr_t *addr,
105  const char *hostname,
106  uint32_t ttl);
107 static void add_wildcarded_test_address(const char *address);
108 static int configure_nameservers(int force);
109 static int answer_is_wildcarded(const char *ip);
110 static int evdns_err_is_transient(int err);
111 static void inform_pending_connections(cached_resolve_t *resolve);
112 static void make_pending_resolve_cached(cached_resolve_t *cached);
113 
114 #ifdef DEBUG_DNS_CACHE
115 static void assert_cache_ok_(void);
116 #define assert_cache_ok() assert_cache_ok_()
117 #else
118 #define assert_cache_ok() STMT_NIL
119 #endif /* defined(DEBUG_DNS_CACHE) */
120 static void assert_resolve_ok(cached_resolve_t *resolve);
121 
122 /** Hash table of cached_resolve objects. */
123 static HT_HEAD(cache_map, cached_resolve_t) cache_root;
124 
125 /** Global: how many IPv6 requests have we made in all? */
126 static uint64_t n_ipv6_requests_made = 0;
127 /** Global: how many IPv6 requests have timed out? */
128 static uint64_t n_ipv6_timeouts = 0;
129 /** Global: Do we think that IPv6 DNS is broken? */
130 static int dns_is_broken_for_ipv6 = 0;
131 
132 /** Function to compare hashed resolves on their addresses; used to
133  * implement hash tables. */
134 static inline int
135 cached_resolves_eq(cached_resolve_t *a, cached_resolve_t *b)
136 {
137  /* make this smarter one day? */
138  assert_resolve_ok(a); // Not b; b may be just a search.
139  return !strncmp(a->address, b->address, MAX_ADDRESSLEN);
140 }
141 
142 /** Hash function for cached_resolve objects */
143 static inline unsigned int
145 {
146  return (unsigned) siphash24g((const uint8_t*)a->address, strlen(a->address));
147 }
148 
150  cached_resolves_eq);
151 HT_GENERATE2(cache_map, cached_resolve_t, node, cached_resolve_hash,
152  cached_resolves_eq, 0.6, tor_reallocarray_, tor_free_);
153 
154 /** Initialize the DNS cache. */
155 static void
157 {
158  HT_INIT(cache_map, &cache_root);
159 }
160 
161 /** Helper: called by eventdns when eventdns wants to log something. */
162 static void
163 evdns_log_cb(int warn, const char *msg)
164 {
165  const char *cp;
166  static int all_down = 0;
167  int severity = warn ? LOG_WARN : LOG_INFO;
168  if (!strcmpstart(msg, "Resolve requested for") &&
169  get_options()->SafeLogging) {
170  log_info(LD_EXIT, "eventdns: Resolve requested.");
171  return;
172  } else if (!strcmpstart(msg, "Search: ")) {
173  return;
174  }
175  if (!strcmpstart(msg, "Nameserver ") && (cp=strstr(msg, " has failed: "))) {
176  char *ns = tor_strndup(msg+11, cp-(msg+11));
177  const char *colon = strchr(cp, ':');
178  tor_assert(colon);
179  const char *err = colon+2;
180  /* Don't warn about a single failed nameserver; we'll warn with 'all
181  * nameservers have failed' if we're completely out of nameservers;
182  * otherwise, the situation is tolerable. */
183  severity = LOG_INFO;
185  "NAMESERVER_STATUS NS=%s STATUS=DOWN ERR=%s",
186  ns, escaped(err));
187  tor_free(ns);
188  } else if (!strcmpstart(msg, "Nameserver ") &&
189  (cp=strstr(msg, " is back up"))) {
190  char *ns = tor_strndup(msg+11, cp-(msg+11));
191  severity = (all_down && warn) ? LOG_NOTICE : LOG_INFO;
192  all_down = 0;
194  "NAMESERVER_STATUS NS=%s STATUS=UP", ns);
195  tor_free(ns);
196  } else if (!strcmp(msg, "All nameservers have failed")) {
197  control_event_server_status(LOG_WARN, "NAMESERVER_ALL_DOWN");
198  all_down = 1;
199  } else if (!strcmpstart(msg, "Address mismatch on received DNS")) {
200  static ratelim_t mismatch_limit = RATELIM_INIT(3600);
201  const char *src = strstr(msg, " Apparent source");
202  if (!src || get_options()->SafeLogging) {
203  src = "";
204  }
205  log_fn_ratelim(&mismatch_limit, severity, LD_EXIT,
206  "eventdns: Received a DNS packet from "
207  "an IP address to which we did not send a request. This "
208  "could be a DNS spoofing attempt, or some kind of "
209  "misconfiguration.%s", src);
210  return;
211  }
212  tor_log(severity, LD_EXIT, "eventdns: %s", msg);
213 }
214 
215 /** Initialize the DNS subsystem; called by the OR process. */
216 int
217 dns_init(void)
218 {
219  init_cache_map();
220  if (server_mode(get_options())) {
221  int r = configure_nameservers(1);
222  return r;
223  }
224  return 0;
225 }
226 
227 /** Called when DNS-related options change (or may have changed). Returns -1
228  * on failure, 0 on success. */
229 int
231 {
232  const or_options_t *options = get_options();
233  if (! server_mode(options)) {
234 
235  if (!the_evdns_base) {
236  if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
237  log_err(LD_BUG, "Couldn't create an evdns_base");
238  return -1;
239  }
240  }
241 
242  evdns_base_clear_nameservers_and_suspend(the_evdns_base);
243  evdns_base_search_clear(the_evdns_base);
246  resolv_conf_mtime = 0;
247  } else {
248  if (configure_nameservers(0) < 0) {
249  return -1;
250  }
251  }
252  return 0;
253 }
254 
255 /** Return true iff the most recent attempt to initialize the DNS subsystem
256  * failed. */
257 int
259 {
261 }
262 
263 /** Helper: free storage held by an entry in the DNS cache. */
264 static void
266 {
267  if (!r)
268  return;
269  while (r->pending_connections) {
271  r->pending_connections = victim->next;
272  tor_free(victim);
273  }
274  if (r->res_status_hostname == RES_STATUS_DONE_OK)
275  tor_free(r->result_ptr.hostname);
276  r->magic = 0xFF00FF00;
277  tor_free(r);
278 }
279 
280 /** Compare two cached_resolve_t pointers by expiry time, and return
281  * less-than-zero, zero, or greater-than-zero as appropriate. Used for
282  * the priority queue implementation. */
283 static int
284 compare_cached_resolves_by_expiry_(const void *_a, const void *_b)
285 {
286  const cached_resolve_t *a = _a, *b = _b;
287  if (a->expire < b->expire)
288  return -1;
289  else if (a->expire == b->expire)
290  return 0;
291  else
292  return 1;
293 }
294 
295 /** Priority queue of cached_resolve_t objects to let us know when they
296  * will expire. */
298 
299 static void
300 cached_resolve_add_answer(cached_resolve_t *resolve,
301  int query_type,
302  int dns_result,
303  const tor_addr_t *answer_addr,
304  const char *answer_hostname,
305  uint32_t ttl)
306 {
307  if (query_type == DNS_PTR) {
308  if (resolve->res_status_hostname != RES_STATUS_INFLIGHT)
309  return;
310 
311  if (dns_result == DNS_ERR_NONE && answer_hostname) {
312  resolve->result_ptr.hostname = tor_strdup(answer_hostname);
313  resolve->res_status_hostname = RES_STATUS_DONE_OK;
314  } else {
315  resolve->result_ptr.err_hostname = dns_result;
316  resolve->res_status_hostname = RES_STATUS_DONE_ERR;
317  }
318  resolve->ttl_hostname = ttl;
319  } else if (query_type == DNS_IPv4_A) {
320  if (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT)
321  return;
322 
323  if (dns_result == DNS_ERR_NONE && answer_addr &&
324  tor_addr_family(answer_addr) == AF_INET) {
325  resolve->result_ipv4.addr_ipv4 = tor_addr_to_ipv4h(answer_addr);
326  resolve->res_status_ipv4 = RES_STATUS_DONE_OK;
327  } else {
328  resolve->result_ipv4.err_ipv4 = dns_result;
329  resolve->res_status_ipv4 = RES_STATUS_DONE_ERR;
330  }
331  resolve->ttl_ipv4 = ttl;
332  } else if (query_type == DNS_IPv6_AAAA) {
333  if (resolve->res_status_ipv6 != RES_STATUS_INFLIGHT)
334  return;
335 
336  if (dns_result == DNS_ERR_NONE && answer_addr &&
337  tor_addr_family(answer_addr) == AF_INET6) {
338  memcpy(&resolve->result_ipv6.addr_ipv6,
339  tor_addr_to_in6(answer_addr),
340  sizeof(struct in6_addr));
341  resolve->res_status_ipv6 = RES_STATUS_DONE_OK;
342  } else {
343  resolve->result_ipv6.err_ipv6 = dns_result;
344  resolve->res_status_ipv6 = RES_STATUS_DONE_ERR;
345  }
346  resolve->ttl_ipv6 = ttl;
347  }
348 }
349 
350 /** Return true iff there are no in-flight requests for <b>resolve</b>. */
351 static int
353 {
354  return (resolve->res_status_ipv4 != RES_STATUS_INFLIGHT &&
355  resolve->res_status_ipv6 != RES_STATUS_INFLIGHT &&
356  resolve->res_status_hostname != RES_STATUS_INFLIGHT);
357 }
358 
359 /** Set an expiry time for a cached_resolve_t, and add it to the expiry
360  * priority queue */
361 static void
362 set_expiry(cached_resolve_t *resolve, time_t expires)
363 {
364  tor_assert(resolve && resolve->expire == 0);
367  resolve->expire = expires;
370  offsetof(cached_resolve_t, minheap_idx),
371  resolve);
372 }
373 
374 /** Free all storage held in the DNS cache and related structures. */
375 void
377 {
378  cached_resolve_t **ptr, **next, *item;
379  assert_cache_ok();
380  if (cached_resolve_pqueue) {
382  {
383  if (res->state == CACHE_STATE_DONE)
385  });
386  }
387  for (ptr = HT_START(cache_map, &cache_root); ptr != NULL; ptr = next) {
388  item = *ptr;
389  next = HT_NEXT_RMV(cache_map, &cache_root, ptr);
390  free_cached_resolve_(item);
391  }
392  HT_CLEAR(cache_map, &cache_root);
393  smartlist_free(cached_resolve_pqueue);
394  cached_resolve_pqueue = NULL;
396 }
397 
398 /** Remove every cached_resolve whose <b>expire</b> time is before or
399  * equal to <b>now</b> from the cache. */
400 static void
402 {
403  cached_resolve_t *resolve, *removed;
404  pending_connection_t *pend;
405  edge_connection_t *pendconn;
406 
407  assert_cache_ok();
409  return;
410 
411  while (smartlist_len(cached_resolve_pqueue)) {
412  resolve = smartlist_get(cached_resolve_pqueue, 0);
413  if (resolve->expire > now)
414  break;
417  offsetof(cached_resolve_t, minheap_idx));
418 
419  if (resolve->state == CACHE_STATE_PENDING) {
420  log_debug(LD_EXIT,
421  "Expiring a dns resolve %s that's still pending. Forgot to "
422  "cull it? DNS resolve didn't tell us about the timeout?",
423  escaped_safe_str(resolve->address));
424  } else if (resolve->state == CACHE_STATE_CACHED) {
425  log_debug(LD_EXIT,
426  "Forgetting old cached resolve (address %s, expires %lu)",
427  escaped_safe_str(resolve->address),
428  (unsigned long)resolve->expire);
429  tor_assert(!resolve->pending_connections);
430  } else {
431  tor_assert(resolve->state == CACHE_STATE_DONE);
432  tor_assert(!resolve->pending_connections);
433  }
434 
435  if (resolve->pending_connections) {
436  log_debug(LD_EXIT,
437  "Closing pending connections on timed-out DNS resolve!");
438  while (resolve->pending_connections) {
439  pend = resolve->pending_connections;
440  resolve->pending_connections = pend->next;
441  /* Connections should only be pending if they have no socket. */
442  tor_assert(!SOCKET_OK(pend->conn->base_.s));
443  pendconn = pend->conn;
444  /* Prevent double-remove */
445  pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
446  if (!pendconn->base_.marked_for_close) {
447  connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
448  circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
449  connection_free_(TO_CONN(pendconn));
450  }
451  tor_free(pend);
452  }
453  }
454 
455  if (resolve->state == CACHE_STATE_CACHED ||
456  resolve->state == CACHE_STATE_PENDING) {
457  removed = HT_REMOVE(cache_map, &cache_root, resolve);
458  if (removed != resolve) {
459  log_err(LD_BUG, "The expired resolve we purged didn't match any in"
460  " the cache. Tried to purge %s (%p); instead got %s (%p).",
461  resolve->address, (void*)resolve,
462  removed ? removed->address : "NULL", (void*)removed);
463  }
464  tor_assert(removed == resolve);
465  } else {
466  /* This should be in state DONE. Make sure it's not in the cache. */
467  cached_resolve_t *tmp = HT_FIND(cache_map, &cache_root, resolve);
468  tor_assert(tmp != resolve);
469  }
470  if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
471  tor_free(resolve->result_ptr.hostname);
472  resolve->magic = 0xF0BBF0BB;
473  tor_free(resolve);
474  }
475 
476  assert_cache_ok();
477 }
478 
479 /* argument for send_resolved_cell only, meaning "let the answer type be ipv4
480  * or ipv6 depending on the connection's address". */
481 #define RESOLVED_TYPE_AUTO 0xff
482 
483 /** Send a response to the RESOLVE request of a connection.
484  * <b>answer_type</b> must be one of
485  * RESOLVED_TYPE_(AUTO|ERROR|ERROR_TRANSIENT|).
486  *
487  * If <b>circ</b> is provided, and we have a cached answer, send the
488  * answer back along circ; otherwise, send the answer back along
489  * <b>conn</b>'s attached circuit.
490  */
491 MOCK_IMPL(STATIC void,
492 send_resolved_cell,(edge_connection_t *conn, uint8_t answer_type,
493  const cached_resolve_t *resolved))
494 {
495  char buf[RELAY_PAYLOAD_SIZE], *cp = buf;
496  size_t buflen = 0;
497  uint32_t ttl;
498 
499  buf[0] = answer_type;
500  ttl = clip_dns_ttl(conn->address_ttl);
501 
502  switch (answer_type)
503  {
504  case RESOLVED_TYPE_AUTO:
505  if (resolved && resolved->res_status_ipv4 == RES_STATUS_DONE_OK) {
506  cp[0] = RESOLVED_TYPE_IPV4;
507  cp[1] = 4;
508  set_uint32(cp+2, htonl(resolved->result_ipv4.addr_ipv4));
509  set_uint32(cp+6, htonl(ttl));
510  cp += 10;
511  }
512  if (resolved && resolved->res_status_ipv6 == RES_STATUS_DONE_OK) {
513  const uint8_t *bytes = resolved->result_ipv6.addr_ipv6.s6_addr;
514  cp[0] = RESOLVED_TYPE_IPV6;
515  cp[1] = 16;
516  memcpy(cp+2, bytes, 16);
517  set_uint32(cp+18, htonl(ttl));
518  cp += 22;
519  }
520  if (cp != buf) {
521  buflen = cp - buf;
522  break;
523  } else {
524  answer_type = RESOLVED_TYPE_ERROR;
525  /* We let this fall through and treat it as an error. */
526  }
527  FALLTHROUGH;
528  case RESOLVED_TYPE_ERROR_TRANSIENT:
529  case RESOLVED_TYPE_ERROR:
530  {
531  const char *errmsg = "Error resolving hostname";
532  size_t msglen = strlen(errmsg);
533 
534  buf[0] = answer_type;
535  buf[1] = msglen;
536  strlcpy(buf+2, errmsg, sizeof(buf)-2);
537  set_uint32(buf+2+msglen, htonl(ttl));
538  buflen = 6+msglen;
539  break;
540  }
541  default:
542  tor_assert(0);
543  return;
544  }
545  // log_notice(LD_EXIT, "Sending a regular RESOLVED reply: ");
546 
547  connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
548 }
549 
550 /** Send a response to the RESOLVE request of a connection for an in-addr.arpa
551  * address on connection <b>conn</b> which yielded the result <b>hostname</b>.
552  * The answer type will be RESOLVED_HOSTNAME.
553  *
554  * If <b>circ</b> is provided, and we have a cached answer, send the
555  * answer back along circ; otherwise, send the answer back along
556  * <b>conn</b>'s attached circuit.
557  */
558 MOCK_IMPL(STATIC void,
560  const char *hostname))
561 {
562  char buf[RELAY_PAYLOAD_SIZE];
563  size_t buflen;
564  uint32_t ttl;
565 
566  if (BUG(!hostname))
567  return;
568 
569  size_t namelen = strlen(hostname);
570 
571  tor_assert(namelen < 256);
572  ttl = clip_dns_ttl(conn->address_ttl);
573 
574  buf[0] = RESOLVED_TYPE_HOSTNAME;
575  buf[1] = (uint8_t)namelen;
576  memcpy(buf+2, hostname, namelen);
577  set_uint32(buf+2+namelen, htonl(ttl));
578  buflen = 2+namelen+4;
579 
580  // log_notice(LD_EXIT, "Sending a reply RESOLVED reply: %s", hostname);
581  connection_edge_send_command(conn, RELAY_COMMAND_RESOLVED, buf, buflen);
582  // log_notice(LD_EXIT, "Sent");
583 }
584 
585 /** See if we have a cache entry for <b>exitconn</b>->address. If so,
586  * if resolve valid, put it into <b>exitconn</b>->addr and return 1.
587  * If resolve failed, free exitconn and return -1.
588  *
589  * (For EXIT_PURPOSE_RESOLVE connections, send back a RESOLVED error cell
590  * on returning -1. For EXIT_PURPOSE_CONNECT connections, there's no
591  * need to send back an END cell, since connection_exit_begin_conn will
592  * do that for us.)
593  *
594  * If we have a cached answer, send the answer back along <b>exitconn</b>'s
595  * circuit.
596  *
597  * Else, if seen before and pending, add conn to the pending list,
598  * and return 0.
599  *
600  * Else, if not seen before, add conn to pending list, hand to
601  * dns farm, and return 0.
602  *
603  * Exitconn's on_circuit field must be set, but exitconn should not
604  * yet be linked onto the n_streams/resolving_streams list of that circuit.
605  * On success, link the connection to n_streams if it's an exit connection.
606  * On "pending", link the connection to resolving streams. Otherwise,
607  * clear its on_circuit field.
608  */
609 int
611 {
612  or_circuit_t *oncirc = TO_OR_CIRCUIT(exitconn->on_circuit);
613  int is_resolve, r;
614  int made_connection_pending = 0;
615  char *hostname = NULL;
616  cached_resolve_t *resolve = NULL;
617  is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;
618 
619  r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname,
620  &made_connection_pending, &resolve);
621 
622  switch (r) {
623  case 1:
624  /* We got an answer without a lookup -- either the answer was
625  * cached, or it was obvious (like an IP address). */
626  if (is_resolve) {
627  /* Send the answer back right now, and detach. */
628  if (hostname)
629  send_resolved_hostname_cell(exitconn, hostname);
630  else
631  send_resolved_cell(exitconn, RESOLVED_TYPE_AUTO, resolve);
632  exitconn->on_circuit = NULL;
633  } else {
634  /* Add to the n_streams list; the calling function will send back a
635  * connected cell. */
636  exitconn->next_stream = oncirc->n_streams;
637  oncirc->n_streams = exitconn;
638  }
639  break;
640  case 0:
641  /* The request is pending: add the connection into the linked list of
642  * resolving_streams on this circuit. */
643  exitconn->base_.state = EXIT_CONN_STATE_RESOLVING;
644  exitconn->next_stream = oncirc->resolving_streams;
645  oncirc->resolving_streams = exitconn;
646  break;
647  case -2:
648  case -1:
649  /* The request failed before it could start: cancel this connection,
650  * and stop everybody waiting for the same connection. */
651  if (is_resolve) {
652  send_resolved_cell(exitconn,
653  (r == -1) ? RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
654  NULL);
655  }
656 
657  exitconn->on_circuit = NULL;
658 
659  dns_cancel_pending_resolve(exitconn->base_.address);
660 
661  if (!made_connection_pending && !exitconn->base_.marked_for_close) {
662  /* If we made the connection pending, then we freed it already in
663  * dns_cancel_pending_resolve(). If we marked it for close, it'll
664  * get freed from the main loop. Otherwise, can free it now. */
665  connection_free_(TO_CONN(exitconn));
666  }
667  break;
668  default:
669  tor_assert(0);
670  }
671 
672  tor_free(hostname);
673  return r;
674 }
675 
676 /** Helper function for dns_resolve: same functionality, but does not handle:
677  * - marking connections on error and clearing their on_circuit
678  * - linking connections to n_streams/resolving_streams,
679  * - sending resolved cells if we have an answer/error right away,
680  *
681  * Return -2 on a transient error. If it's a reverse resolve and it's
682  * successful, sets *<b>hostname_out</b> to a newly allocated string
683  * holding the cached reverse DNS value.
684  *
685  * Set *<b>made_connection_pending_out</b> to true if we have placed
686  * <b>exitconn</b> on the list of pending connections for some resolve; set it
687  * to false otherwise.
688  *
689  * Set *<b>resolve_out</b> to a cached resolve, if we found one.
690  */
691 MOCK_IMPL(STATIC int,
692 dns_resolve_impl,(edge_connection_t *exitconn, int is_resolve,
693  or_circuit_t *oncirc, char **hostname_out,
694  int *made_connection_pending_out,
695  cached_resolve_t **resolve_out))
696 {
697  cached_resolve_t *resolve;
698  cached_resolve_t search;
699  pending_connection_t *pending_connection;
700  int is_reverse = 0;
701  tor_addr_t addr;
702  time_t now = time(NULL);
703  int r;
704  assert_connection_ok(TO_CONN(exitconn), 0);
705  tor_assert(!SOCKET_OK(exitconn->base_.s));
706  assert_cache_ok();
707  tor_assert(oncirc);
708  *made_connection_pending_out = 0;
709 
710  /* first check if exitconn->base_.address is an IP. If so, we already
711  * know the answer. */
712  if (tor_addr_parse(&addr, exitconn->base_.address) >= 0) {
713  if (tor_addr_family(&addr) == AF_INET ||
714  tor_addr_family(&addr) == AF_INET6) {
715  tor_addr_copy(&exitconn->base_.addr, &addr);
716  exitconn->address_ttl = DEFAULT_DNS_TTL;
717  return 1;
718  } else {
719  /* XXXX unspec? Bogus? */
720  return -1;
721  }
722  }
723 
724  /* If we're a non-exit, don't even do DNS lookups. */
726  return -1;
727 
728  if (address_is_invalid_destination(exitconn->base_.address, 0)) {
729  tor_log(LOG_PROTOCOL_WARN, LD_EXIT,
730  "Rejecting invalid destination address %s",
731  escaped_safe_str(exitconn->base_.address));
732  return -1;
733  }
734 
735  /* then take this opportunity to see if there are any expired
736  * resolves in the hash table. */
738 
739  /* lower-case exitconn->base_.address, so it's in canonical form */
740  tor_strlower(exitconn->base_.address);
741 
742  /* Check whether this is a reverse lookup. If it's malformed, or it's a
743  * .in-addr.arpa address but this isn't a resolve request, kill the
744  * connection.
745  */
746  if ((r = tor_addr_parse_PTR_name(&addr, exitconn->base_.address,
747  AF_UNSPEC, 0)) != 0) {
748  if (r == 1) {
749  is_reverse = 1;
750  if (tor_addr_is_internal(&addr, 0)) /* internal address? */
751  return -1;
752  }
753 
754  if (!is_reverse || !is_resolve) {
755  if (!is_reverse)
756  log_info(LD_EXIT, "Bad .in-addr.arpa address \"%s\"; sending error.",
757  escaped_safe_str(exitconn->base_.address));
758  else if (!is_resolve)
759  log_info(LD_EXIT,
760  "Attempt to connect to a .in-addr.arpa address \"%s\"; "
761  "sending error.",
762  escaped_safe_str(exitconn->base_.address));
763 
764  return -1;
765  }
766  //log_notice(LD_EXIT, "Looks like an address %s",
767  //exitconn->base_.address);
768  }
769  exitconn->is_reverse_dns_lookup = is_reverse;
770 
771  /* now check the hash table to see if 'address' is already there. */
772  strlcpy(search.address, exitconn->base_.address, sizeof(search.address));
773  resolve = HT_FIND(cache_map, &cache_root, &search);
774  if (resolve && resolve->expire > now) { /* already there */
775  switch (resolve->state) {
776  case CACHE_STATE_PENDING:
777  /* add us to the pending list */
778  pending_connection = tor_malloc_zero(
779  sizeof(pending_connection_t));
780  pending_connection->conn = exitconn;
781  pending_connection->next = resolve->pending_connections;
782  resolve->pending_connections = pending_connection;
783  *made_connection_pending_out = 1;
784  log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") waiting "
785  "for pending DNS resolve of %s", exitconn->base_.s,
786  escaped_safe_str(exitconn->base_.address));
787  return 0;
788  case CACHE_STATE_CACHED:
789  log_debug(LD_EXIT,"Connection (fd "TOR_SOCKET_T_FORMAT") found "
790  "cached answer for %s",
791  exitconn->base_.s,
792  escaped_safe_str(resolve->address));
793 
794  *resolve_out = resolve;
795 
796  return set_exitconn_info_from_resolve(exitconn, resolve, hostname_out);
797  case CACHE_STATE_DONE:
798  log_err(LD_BUG, "Found a 'DONE' dns resolve still in the cache.");
800  }
801  tor_assert(0);
802  }
803  tor_assert(!resolve);
804  /* not there, need to add it */
805  resolve = tor_malloc_zero(sizeof(cached_resolve_t));
806  resolve->magic = CACHED_RESOLVE_MAGIC;
807  resolve->state = CACHE_STATE_PENDING;
808  resolve->minheap_idx = -1;
809  strlcpy(resolve->address, exitconn->base_.address, sizeof(resolve->address));
810 
811  /* add this connection to the pending list */
812  pending_connection = tor_malloc_zero(sizeof(pending_connection_t));
813  pending_connection->conn = exitconn;
814  resolve->pending_connections = pending_connection;
815  *made_connection_pending_out = 1;
816 
817  /* Add this resolve to the cache and priority queue. */
818  HT_INSERT(cache_map, &cache_root, resolve);
819  set_expiry(resolve, now + RESOLVE_MAX_TIMEOUT);
820 
821  log_debug(LD_EXIT,"Launching %s.",
822  escaped_safe_str(exitconn->base_.address));
823  assert_cache_ok();
824 
825  return launch_resolve(resolve);
826 }
827 
828 /** Given an exit connection <b>exitconn</b>, and a cached_resolve_t
829  * <b>resolve</b> whose DNS lookups have all either succeeded or failed,
830  * update the appropriate fields (address_ttl and addr) of <b>exitconn</b>.
831  *
832  * The logic can be complicated here, since we might have launched both
833  * an A lookup and an AAAA lookup, and since either of those might have
834  * succeeded or failed, and since we want to answer a RESOLVE cell with
835  * a full answer but answer a BEGIN cell with whatever answer the client
836  * would accept <i>and</i> we could still connect to.
837  *
838  * If this is a reverse lookup, set *<b>hostname_out</b> to a newly allocated
839  * copy of the name resulting hostname.
840  *
841  * Return -2 on a transient error, -1 on a permenent error, and 1 on
842  * a successful lookup.
843  */
844 MOCK_IMPL(STATIC int,
846  const cached_resolve_t *resolve,
847  char **hostname_out))
848 {
849  int ipv4_ok, ipv6_ok, answer_with_ipv4, r;
850  uint32_t begincell_flags;
851  const int is_resolve = exitconn->base_.purpose == EXIT_PURPOSE_RESOLVE;
852  tor_assert(exitconn);
853  tor_assert(resolve);
854 
855  if (exitconn->is_reverse_dns_lookup) {
856  exitconn->address_ttl = resolve->ttl_hostname;
857  if (resolve->res_status_hostname == RES_STATUS_DONE_OK) {
858  *hostname_out = tor_strdup(resolve->result_ptr.hostname);
859  return 1;
860  } else {
861  return -1;
862  }
863  }
864 
865  /* If we're here then the connection wants one or either of ipv4, ipv6, and
866  * we can give it one or both. */
867  if (is_resolve) {
868  begincell_flags = BEGIN_FLAG_IPV6_OK;
869  } else {
870  begincell_flags = exitconn->begincell_flags;
871  }
872 
873  ipv4_ok = (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) &&
874  ! (begincell_flags & BEGIN_FLAG_IPV4_NOT_OK);
875  ipv6_ok = (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) &&
876  (begincell_flags & BEGIN_FLAG_IPV6_OK) &&
878 
879  /* Now decide which one to actually give. */
880  if (ipv4_ok && ipv6_ok && is_resolve) {
881  answer_with_ipv4 = 1;
882  } else if (ipv4_ok && ipv6_ok) {
883  /* If we have both, see if our exit policy has an opinion. */
884  const uint16_t port = exitconn->base_.port;
885  int ipv4_allowed, ipv6_allowed;
886  tor_addr_t a4, a6;
888  tor_addr_from_in6(&a6, &resolve->result_ipv6.addr_ipv6);
889  ipv4_allowed = !router_compare_to_my_exit_policy(&a4, port);
890  ipv6_allowed = !router_compare_to_my_exit_policy(&a6, port);
891  if (ipv4_allowed && !ipv6_allowed) {
892  answer_with_ipv4 = 1;
893  } else if (ipv6_allowed && !ipv4_allowed) {
894  answer_with_ipv4 = 0;
895  } else {
896  /* Our exit policy would permit both. Answer with whichever the user
897  * prefers */
898  answer_with_ipv4 = !(begincell_flags &
900  }
901  } else {
902  /* Otherwise if one is okay, send it back. */
903  if (ipv4_ok) {
904  answer_with_ipv4 = 1;
905  } else if (ipv6_ok) {
906  answer_with_ipv4 = 0;
907  } else {
908  /* Neither one was okay. Choose based on user preference. */
909  answer_with_ipv4 = !(begincell_flags &
911  }
912  }
913 
914  /* Finally, we write the answer back. */
915  r = 1;
916  if (answer_with_ipv4) {
917  if (resolve->res_status_ipv4 == RES_STATUS_DONE_OK) {
918  tor_addr_from_ipv4h(&exitconn->base_.addr,
919  resolve->result_ipv4.addr_ipv4);
920  } else {
921  r = evdns_err_is_transient(resolve->result_ipv4.err_ipv4) ? -2 : -1;
922  }
923 
924  exitconn->address_ttl = resolve->ttl_ipv4;
925  } else {
926  if (resolve->res_status_ipv6 == RES_STATUS_DONE_OK) {
927  tor_addr_from_in6(&exitconn->base_.addr,
928  &resolve->result_ipv6.addr_ipv6);
929  } else {
930  r = evdns_err_is_transient(resolve->result_ipv6.err_ipv6) ? -2 : -1;
931  }
932 
933  exitconn->address_ttl = resolve->ttl_ipv6;
934  }
935 
936  return r;
937 }
938 
939 /** Log an error and abort if conn is waiting for a DNS resolve.
940  */
941 void
943 {
944  pending_connection_t *pend;
945  cached_resolve_t search;
946 
947 #if 1
948  cached_resolve_t *resolve;
949  strlcpy(search.address, conn->base_.address, sizeof(search.address));
950  resolve = HT_FIND(cache_map, &cache_root, &search);
951  if (!resolve)
952  return;
953  for (pend = resolve->pending_connections; pend; pend = pend->next) {
954  tor_assert(pend->conn != conn);
955  }
956 #else /* !(1) */
957  cached_resolve_t **resolve;
958  HT_FOREACH(resolve, cache_map, &cache_root) {
959  for (pend = (*resolve)->pending_connections; pend; pend = pend->next) {
960  tor_assert(pend->conn != conn);
961  }
962  }
963 #endif /* 1 */
964 }
965 
966 /** Remove <b>conn</b> from the list of connections waiting for conn->address.
967  */
968 void
970 {
971  pending_connection_t *pend, *victim;
972  cached_resolve_t search;
973  cached_resolve_t *resolve;
974 
975  tor_assert(conn->base_.type == CONN_TYPE_EXIT);
977 
978  strlcpy(search.address, conn->base_.address, sizeof(search.address));
979 
980  resolve = HT_FIND(cache_map, &cache_root, &search);
981  if (!resolve) {
982  log_notice(LD_BUG, "Address %s is not pending. Dropping.",
983  escaped_safe_str(conn->base_.address));
984  return;
985  }
986 
988  assert_connection_ok(TO_CONN(conn),0);
989 
990  pend = resolve->pending_connections;
991 
992  if (pend->conn == conn) {
993  resolve->pending_connections = pend->next;
994  tor_free(pend);
995  log_debug(LD_EXIT, "First connection (fd "TOR_SOCKET_T_FORMAT") no "
996  "longer waiting for resolve of %s",
997  conn->base_.s,
998  escaped_safe_str(conn->base_.address));
999  return;
1000  } else {
1001  for ( ; pend->next; pend = pend->next) {
1002  if (pend->next->conn == conn) {
1003  victim = pend->next;
1004  pend->next = victim->next;
1005  tor_free(victim);
1006  log_debug(LD_EXIT,
1007  "Connection (fd "TOR_SOCKET_T_FORMAT") no longer waiting "
1008  "for resolve of %s",
1009  conn->base_.s, escaped_safe_str(conn->base_.address));
1010  return; /* more are pending */
1011  }
1012  }
1013  log_warn(LD_BUG, "Connection (fd "TOR_SOCKET_T_FORMAT") was not waiting "
1014  "for a resolve of %s, but we tried to remove it.",
1015  conn->base_.s, escaped_safe_str(conn->base_.address));
1016  }
1017 }
1018 
1019 /** Mark all connections waiting for <b>address</b> for close. Then cancel
1020  * the resolve for <b>address</b> itself, and remove any cached results for
1021  * <b>address</b> from the cache.
1022  */
1023 MOCK_IMPL(STATIC void,
1024 dns_cancel_pending_resolve,(const char *address))
1025 {
1026  pending_connection_t *pend;
1027  cached_resolve_t search;
1028  cached_resolve_t *resolve, *tmp;
1029  edge_connection_t *pendconn;
1030  circuit_t *circ;
1031 
1032  strlcpy(search.address, address, sizeof(search.address));
1033 
1034  resolve = HT_FIND(cache_map, &cache_root, &search);
1035  if (!resolve)
1036  return;
1037 
1038  if (resolve->state != CACHE_STATE_PENDING) {
1039  /* We can get into this state if we never actually created the pending
1040  * resolve, due to finding an earlier cached error or something. Just
1041  * ignore it. */
1042  if (resolve->pending_connections) {
1043  log_warn(LD_BUG,
1044  "Address %s is not pending but has pending connections!",
1045  escaped_safe_str(address));
1047  }
1048  return;
1049  }
1050 
1051  if (!resolve->pending_connections) {
1052  log_warn(LD_BUG,
1053  "Address %s is pending but has no pending connections!",
1054  escaped_safe_str(address));
1056  return;
1057  }
1058  tor_assert(resolve->pending_connections);
1059 
1060  /* mark all pending connections to fail */
1061  log_debug(LD_EXIT,
1062  "Failing all connections waiting on DNS resolve of %s",
1063  escaped_safe_str(address));
1064  while (resolve->pending_connections) {
1065  pend = resolve->pending_connections;
1066  pend->conn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1067  pendconn = pend->conn;
1068  assert_connection_ok(TO_CONN(pendconn), 0);
1069  tor_assert(!SOCKET_OK(pendconn->base_.s));
1070  if (!pendconn->base_.marked_for_close) {
1071  connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
1072  }
1073  circ = circuit_get_by_edge_conn(pendconn);
1074  if (circ)
1075  circuit_detach_stream(circ, pendconn);
1076  if (!pendconn->base_.marked_for_close)
1077  connection_free_(TO_CONN(pendconn));
1078  resolve->pending_connections = pend->next;
1079  tor_free(pend);
1080  }
1081 
1082  tmp = HT_REMOVE(cache_map, &cache_root, resolve);
1083  if (tmp != resolve) {
1084  log_err(LD_BUG, "The cancelled resolve we purged didn't match any in"
1085  " the cache. Tried to purge %s (%p); instead got %s (%p).",
1086  resolve->address, (void*)resolve,
1087  tmp ? tmp->address : "NULL", (void*)tmp);
1088  }
1089  tor_assert(tmp == resolve);
1090 
1091  resolve->state = CACHE_STATE_DONE;
1092 }
1093 
1094 /** Return true iff <b>address</b> is one of the addresses we use to verify
1095  * that well-known sites aren't being hijacked by our DNS servers. */
1096 static inline int
1097 is_test_address(const char *address)
1098 {
1099  const or_options_t *options = get_options();
1100  return options->ServerDNSTestAddresses &&
1102 }
1103 
1104 /** Called on the OR side when the eventdns library tells us the outcome of a
1105  * single DNS resolve: remember the answer, and tell all pending connections
1106  * about the result of the lookup if the lookup is now done. (<b>address</b>
1107  * is a NUL-terminated string containing the address to look up;
1108  * <b>query_type</b> is one of DNS_{IPv4_A,IPv6_AAAA,PTR}; <b>dns_answer</b>
1109  * is DNS_OK or one of DNS_ERR_*, <b>addr</b> is an IPv4 or IPv6 address if we
1110  * got one; <b>hostname</b> is a hostname fora PTR request if we got one, and
1111  * <b>ttl</b> is the time-to-live of this answer, in seconds.)
1112  */
1113 static void
1114 dns_found_answer(const char *address, uint8_t query_type,
1115  int dns_answer,
1116  const tor_addr_t *addr,
1117  const char *hostname, uint32_t ttl)
1118 {
1119  cached_resolve_t search;
1120  cached_resolve_t *resolve;
1121 
1122  assert_cache_ok();
1123 
1124  strlcpy(search.address, address, sizeof(search.address));
1125 
1126  resolve = HT_FIND(cache_map, &cache_root, &search);
1127  if (!resolve) {
1128  int is_test_addr = is_test_address(address);
1129  if (!is_test_addr)
1130  log_info(LD_EXIT,"Resolved unasked address %s; ignoring.",
1131  escaped_safe_str(address));
1132  return;
1133  }
1134  assert_resolve_ok(resolve);
1135 
1136  if (resolve->state != CACHE_STATE_PENDING) {
1137  /* XXXX Maybe update addr? or check addr for consistency? Or let
1138  * VALID replace FAILED? */
1139  int is_test_addr = is_test_address(address);
1140  if (!is_test_addr)
1141  log_notice(LD_EXIT,
1142  "Resolved %s which was already resolved; ignoring",
1143  escaped_safe_str(address));
1144  tor_assert(resolve->pending_connections == NULL);
1145  return;
1146  }
1147 
1148  cached_resolve_add_answer(resolve, query_type, dns_answer,
1149  addr, hostname, ttl);
1150 
1151  if (cached_resolve_have_all_answers(resolve)) {
1152  inform_pending_connections(resolve);
1153 
1154  make_pending_resolve_cached(resolve);
1155  }
1156 }
1157 
1158 /** Given a pending cached_resolve_t that we just finished resolving,
1159  * inform every connection that was waiting for the outcome of that
1160  * resolution.
1161  *
1162  * Do this by sending a RELAY_RESOLVED cell (if the pending stream had sent us
1163  * RELAY_RESOLVE cell), or by launching an exit connection (if the pending
1164  * stream had send us a RELAY_BEGIN cell).
1165  */
1166 static void
1168 {
1169  pending_connection_t *pend;
1170  edge_connection_t *pendconn;
1171  int r;
1172 
1173  while (resolve->pending_connections) {
1174  char *hostname = NULL;
1175  pend = resolve->pending_connections;
1176  pendconn = pend->conn; /* don't pass complex things to the
1177  connection_mark_for_close macro */
1178  assert_connection_ok(TO_CONN(pendconn),time(NULL));
1179 
1180  if (pendconn->base_.marked_for_close) {
1181  /* prevent double-remove. */
1182  pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1183  resolve->pending_connections = pend->next;
1184  tor_free(pend);
1185  continue;
1186  }
1187 
1188  r = set_exitconn_info_from_resolve(pendconn,
1189  resolve,
1190  &hostname);
1191 
1192  if (r < 0) {
1193  /* prevent double-remove. */
1194  pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1195  if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
1196  connection_edge_end(pendconn, END_STREAM_REASON_RESOLVEFAILED);
1197  /* This detach must happen after we send the end cell. */
1198  circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
1199  } else {
1200  send_resolved_cell(pendconn, r == -1 ?
1201  RESOLVED_TYPE_ERROR : RESOLVED_TYPE_ERROR_TRANSIENT,
1202  NULL);
1203  /* This detach must happen after we send the resolved cell. */
1204  circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
1205  }
1206  connection_free_(TO_CONN(pendconn));
1207  } else {
1208  circuit_t *circ;
1209  if (pendconn->base_.purpose == EXIT_PURPOSE_CONNECT) {
1210  /* prevent double-remove. */
1211  pend->conn->base_.state = EXIT_CONN_STATE_CONNECTING;
1212 
1213  circ = circuit_get_by_edge_conn(pend->conn);
1214  tor_assert(circ);
1215  tor_assert(!CIRCUIT_IS_ORIGIN(circ));
1216  /* unlink pend->conn from resolving_streams, */
1217  circuit_detach_stream(circ, pend->conn);
1218  /* and link it to n_streams */
1219  pend->conn->next_stream = TO_OR_CIRCUIT(circ)->n_streams;
1220  pend->conn->on_circuit = circ;
1221  TO_OR_CIRCUIT(circ)->n_streams = pend->conn;
1222 
1223  connection_exit_connect(pend->conn);
1224  } else {
1225  /* prevent double-remove. This isn't really an accurate state,
1226  * but it does the right thing. */
1227  pendconn->base_.state = EXIT_CONN_STATE_RESOLVEFAILED;
1228  if (pendconn->is_reverse_dns_lookup)
1229  send_resolved_hostname_cell(pendconn, hostname);
1230  else
1231  send_resolved_cell(pendconn, RESOLVED_TYPE_AUTO, resolve);
1232  circ = circuit_get_by_edge_conn(pendconn);
1233  tor_assert(circ);
1234  circuit_detach_stream(circ, pendconn);
1235  connection_free_(TO_CONN(pendconn));
1236  }
1237  }
1238  resolve->pending_connections = pend->next;
1239  tor_free(pend);
1240  tor_free(hostname);
1241  }
1242 }
1243 
1244 /** Remove a pending cached_resolve_t from the hashtable, and add a
1245  * corresponding cached cached_resolve_t.
1246  *
1247  * This function is only necessary because of the perversity of our
1248  * cache timeout code; see inline comment for ideas on eliminating it.
1249  **/
1250 static void
1252 {
1253  cached_resolve_t *removed;
1254 
1255  resolve->state = CACHE_STATE_DONE;
1256  removed = HT_REMOVE(cache_map, &cache_root, resolve);
1257  if (removed != resolve) {
1258  log_err(LD_BUG, "The pending resolve we found wasn't removable from"
1259  " the cache. Tried to purge %s (%p); instead got %s (%p).",
1260  resolve->address, (void*)resolve,
1261  removed ? removed->address : "NULL", (void*)removed);
1262  }
1263  assert_resolve_ok(resolve);
1264  assert_cache_ok();
1265  /* The resolve will eventually just hit the time-out in the expiry queue and
1266  * expire. See fd0bafb0dedc7e2 for a brief explanation of how this got that
1267  * way. XXXXX we could do better!*/
1268 
1269  {
1270  cached_resolve_t *new_resolve = tor_memdup(resolve,
1271  sizeof(cached_resolve_t));
1272  uint32_t ttl = UINT32_MAX;
1273  new_resolve->expire = 0; /* So that set_expiry won't croak. */
1274  if (resolve->res_status_hostname == RES_STATUS_DONE_OK)
1275  new_resolve->result_ptr.hostname =
1276  tor_strdup(resolve->result_ptr.hostname);
1277 
1278  new_resolve->state = CACHE_STATE_CACHED;
1279 
1280  assert_resolve_ok(new_resolve);
1281  HT_INSERT(cache_map, &cache_root, new_resolve);
1282 
1283  if ((resolve->res_status_ipv4 == RES_STATUS_DONE_OK ||
1284  resolve->res_status_ipv4 == RES_STATUS_DONE_ERR) &&
1285  resolve->ttl_ipv4 < ttl)
1286  ttl = resolve->ttl_ipv4;
1287 
1288  if ((resolve->res_status_ipv6 == RES_STATUS_DONE_OK ||
1289  resolve->res_status_ipv6 == RES_STATUS_DONE_ERR) &&
1290  resolve->ttl_ipv6 < ttl)
1291  ttl = resolve->ttl_ipv6;
1292 
1293  if ((resolve->res_status_hostname == RES_STATUS_DONE_OK ||
1294  resolve->res_status_hostname == RES_STATUS_DONE_ERR) &&
1295  resolve->ttl_hostname < ttl)
1296  ttl = resolve->ttl_hostname;
1297 
1298  set_expiry(new_resolve, time(NULL) + clip_dns_ttl(ttl));
1299  }
1300 
1301  assert_cache_ok();
1302 }
1303 
1304 /** Eventdns helper: return true iff the eventdns result <b>err</b> is
1305  * a transient failure. */
1306 static int
1308 {
1309  switch (err)
1310  {
1311  case DNS_ERR_SERVERFAILED:
1312  case DNS_ERR_TRUNCATED:
1313  case DNS_ERR_TIMEOUT:
1314  return 1;
1315  default:
1316  return 0;
1317  }
1318 }
1319 
1320 /**
1321  * Return number of configured nameservers in <b>the_evdns_base</b>.
1322  */
1323 size_t
1325 {
1326  return evdns_base_count_nameservers(the_evdns_base);
1327 }
1328 
1329 #ifdef HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR
1330 /**
1331  * Return address of configured nameserver in <b>the_evdns_base</b>
1332  * at index <b>idx</b>.
1333  */
1334 tor_addr_t *
1335 configured_nameserver_address(const size_t idx)
1336 {
1337  struct sockaddr_storage sa;
1338  ev_socklen_t sa_len = sizeof(sa);
1339 
1340  if (evdns_base_get_nameserver_addr(the_evdns_base, (int)idx,
1341  (struct sockaddr *)&sa,
1342  sa_len) > 0) {
1343  tor_addr_t *tor_addr = tor_malloc(sizeof(tor_addr_t));
1344  if (tor_addr_from_sockaddr(tor_addr,
1345  (const struct sockaddr *)&sa,
1346  NULL) == 0) {
1347  return tor_addr;
1348  }
1349  tor_free(tor_addr);
1350  }
1351 
1352  return NULL;
1353 }
1354 #endif /* defined(HAVE_EVDNS_BASE_GET_NAMESERVER_ADDR) */
1355 
1356 /** Configure eventdns nameservers if force is true, or if the configuration
1357  * has changed since the last time we called this function, or if we failed on
1358  * our last attempt. On Unix, this reads from /etc/resolv.conf or
1359  * options->ServerDNSResolvConfFile; on Windows, this reads from
1360  * options->ServerDNSResolvConfFile or the registry. Return 0 on success or
1361  * -1 on failure. */
1362 static int
1364 {
1365  const or_options_t *options;
1366  const char *conf_fname;
1367  struct stat st;
1368  int r, flags;
1369  options = get_options();
1370  conf_fname = options->ServerDNSResolvConfFile;
1371 #ifndef _WIN32
1372  if (!conf_fname)
1373  conf_fname = "/etc/resolv.conf";
1374 #endif
1375  flags = DNS_OPTIONS_ALL;
1376 
1377  if (!the_evdns_base) {
1378  if (!(the_evdns_base = evdns_base_new(tor_libevent_get_base(), 0))) {
1379  log_err(LD_BUG, "Couldn't create an evdns_base");
1380  return -1;
1381  }
1382  }
1383 
1384  evdns_set_log_fn(evdns_log_cb);
1385  if (conf_fname) {
1386  log_debug(LD_FS, "stat()ing %s", conf_fname);
1387  int missing_resolv_conf = 0;
1388  int stat_res = stat(sandbox_intern_string(conf_fname), &st);
1389 
1390  if (stat_res) {
1391  log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s",
1392  conf_fname, strerror(errno));
1393  missing_resolv_conf = 1;
1394  } else if (!force && resolv_conf_fname &&
1395  !strcmp(conf_fname,resolv_conf_fname)
1396  && st.st_mtime == resolv_conf_mtime) {
1397  log_info(LD_EXIT, "No change to '%s'", conf_fname);
1398  return 0;
1399  }
1400 
1401  if (stat_res == 0 && st.st_size == 0)
1402  missing_resolv_conf = 1;
1403 
1404  if (nameservers_configured) {
1405  evdns_base_search_clear(the_evdns_base);
1406  evdns_base_clear_nameservers_and_suspend(the_evdns_base);
1407  }
1408 #if defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP)
1409  if (flags & DNS_OPTION_HOSTSFILE) {
1410  flags ^= DNS_OPTION_HOSTSFILE;
1411  log_debug(LD_FS, "Loading /etc/hosts");
1412  evdns_base_load_hosts(the_evdns_base,
1413  sandbox_intern_string("/etc/hosts"));
1414  }
1415 #endif /* defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP) */
1416 
1417  if (!missing_resolv_conf) {
1418  log_info(LD_EXIT, "Parsing resolver configuration in '%s'", conf_fname);
1419  if ((r = evdns_base_resolv_conf_parse(the_evdns_base, flags,
1420  sandbox_intern_string(conf_fname)))) {
1421  log_warn(LD_EXIT, "Unable to parse '%s', or no nameservers "
1422  "in '%s' (%d)", conf_fname, conf_fname, r);
1423 
1424  if (r != 6) // "r = 6" means "no DNS servers were in resolv.conf" -
1425  goto err; // in which case we expect libevent to add 127.0.0.1 as
1426  // fallback.
1427  }
1428  if (evdns_base_count_nameservers(the_evdns_base) == 0) {
1429  log_warn(LD_EXIT, "Unable to find any nameservers in '%s'.",
1430  conf_fname);
1431  }
1432 
1434  resolv_conf_fname = tor_strdup(conf_fname);
1435  resolv_conf_mtime = st.st_mtime;
1436  } else {
1437  log_warn(LD_EXIT, "Could not read your DNS config from '%s' - "
1438  "please investigate your DNS configuration. "
1439  "This is possibly a problem. Meanwhile, falling"
1440  " back to local DNS at 127.0.0.1.", conf_fname);
1441  evdns_base_nameserver_ip_add(the_evdns_base, "127.0.0.1");
1442  }
1443 
1445  evdns_base_resume(the_evdns_base);
1446  }
1447 #ifdef _WIN32
1448  else {
1449  if (nameservers_configured) {
1450  evdns_base_search_clear(the_evdns_base);
1451  evdns_base_clear_nameservers_and_suspend(the_evdns_base);
1452  }
1453  if (evdns_base_config_windows_nameservers(the_evdns_base)) {
1454  log_warn(LD_EXIT,"Could not config nameservers.");
1455  goto err;
1456  }
1457  if (evdns_base_count_nameservers(the_evdns_base) == 0) {
1458  log_warn(LD_EXIT, "Unable to find any platform nameservers in "
1459  "your Windows configuration.");
1460  goto err;
1461  }
1463  evdns_base_resume(the_evdns_base);
1465  resolv_conf_mtime = 0;
1466  }
1467 #endif /* defined(_WIN32) */
1468 
1469 #define SET(k,v) evdns_base_set_option(the_evdns_base, (k), (v))
1470 
1471  // If we only have one nameserver, it does not make sense to back off
1472  // from it for a timeout. Unfortunately, the value for max-timeouts is
1473  // currently clamped by libevent to 255, but it does not hurt to set
1474  // it higher in case libevent gets a patch for this. Higher-than-
1475  // default maximum of 3 with multiple nameservers to avoid spuriously
1476  // marking one down on bursts of timeouts resulting from scans/attacks
1477  // against non-responding authoritative DNS servers.
1478  if (evdns_base_count_nameservers(the_evdns_base) == 1) {
1479  SET("max-timeouts:", "1000000");
1480  } else {
1481  SET("max-timeouts:", "10");
1482  }
1483 
1484  // Elongate the queue of maximum inflight dns requests, so if a bunch
1485  // remain pending at the resolver (happens commonly with Unbound) we won't
1486  // stall every other DNS request. This potentially means some wasted
1487  // CPU as there's a walk over a linear queue involved, but this is a
1488  // much better tradeoff compared to just failing DNS requests because
1489  // of a full queue.
1490  SET("max-inflight:", "8192");
1491 
1492  // Two retries at 5 and 10 seconds for bind9/named which relies on
1493  // clients to handle retries. Second retry for retried circuits with
1494  // extended 15 second timeout. Superfluous with local-system Unbound
1495  // instance--has its own elaborate retry scheme.
1496  SET("timeout:", "5");
1497  SET("attempts:","3");
1498 
1499  if (options->ServerDNSRandomizeCase)
1500  SET("randomize-case:", "1");
1501  else
1502  SET("randomize-case:", "0");
1503 
1504 #undef SET
1505 
1507 
1511  /* XXX the three calls to republish the descriptor might be producing
1512  * descriptors that are only cosmetically different, especially on
1513  * non-exit relays! -RD */
1514  mark_my_descriptor_dirty("dns resolvers back");
1515  }
1516  return 0;
1517  err:
1519  if (! nameserver_config_failed) {
1521  mark_my_descriptor_dirty("dns resolvers failed");
1522  }
1523  return -1;
1524 }
1525 
1526 /** For eventdns: Called when we get an answer for a request we launched.
1527  * See eventdns.h for arguments; 'arg' holds the address we tried to resolve.
1528  */
1529 static void
1530 evdns_callback(int result, char type, int count, int ttl, void *addresses,
1531  void *arg)
1532 {
1533  char *arg_ = arg;
1534  uint8_t orig_query_type = arg_[0];
1535  char *string_address = arg_ + 1;
1536  tor_addr_t addr;
1537  const char *hostname = NULL;
1538  int was_wildcarded = 0;
1539 
1540  tor_addr_make_unspec(&addr);
1541 
1542  /* Note down any DNS errors to the statistics module */
1543  if (result == DNS_ERR_TIMEOUT) {
1544  /* libevent timed out while resolving a name. However, because libevent
1545  * handles retries and timeouts internally, this means that all attempts of
1546  * libevent timed out. If we wanted to get more granular information about
1547  * individual libevent attempts, we would have to implement our own DNS
1548  * timeout/retry logic */
1549  rep_hist_note_overload(OVERLOAD_GENERAL);
1550  }
1551 
1552  /* Keep track of whether IPv6 is working */
1553  if (type == DNS_IPv6_AAAA) {
1554  if (result == DNS_ERR_TIMEOUT) {
1555  ++n_ipv6_timeouts;
1556  }
1557 
1558  if (n_ipv6_timeouts > 10 &&
1559  n_ipv6_timeouts > n_ipv6_requests_made / 2) {
1560  if (! dns_is_broken_for_ipv6) {
1561  log_notice(LD_EXIT, "More than half of our IPv6 requests seem to "
1562  "have timed out. I'm going to assume I can't get AAAA "
1563  "responses.");
1564  dns_is_broken_for_ipv6 = 1;
1565  }
1566  }
1567  }
1568 
1569  if (result == DNS_ERR_NONE) {
1570  if (type == DNS_IPv4_A && count) {
1571  char answer_buf[INET_NTOA_BUF_LEN+1];
1572  char *escaped_address;
1573  uint32_t *addrs = addresses;
1574  tor_addr_from_ipv4n(&addr, addrs[0]);
1575 
1576  tor_addr_to_str(answer_buf, &addr, sizeof(answer_buf), 0);
1577  escaped_address = esc_for_log(string_address);
1578 
1579  if (answer_is_wildcarded(answer_buf)) {
1580  log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
1581  "address %s; treating as a failure.",
1582  safe_str(escaped_address),
1583  escaped_safe_str(answer_buf));
1584  was_wildcarded = 1;
1585  tor_addr_make_unspec(&addr);
1586  result = DNS_ERR_NOTEXIST;
1587  } else {
1588  log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1589  safe_str(escaped_address),
1590  escaped_safe_str(answer_buf));
1591  }
1592  tor_free(escaped_address);
1593  } else if (type == DNS_IPv6_AAAA && count) {
1594  char answer_buf[TOR_ADDR_BUF_LEN];
1595  char *escaped_address;
1596  const char *ip_str;
1597  struct in6_addr *addrs = addresses;
1598  tor_addr_from_in6(&addr, &addrs[0]);
1599  ip_str = tor_inet_ntop(AF_INET6, &addrs[0], answer_buf,
1600  sizeof(answer_buf));
1601  escaped_address = esc_for_log(string_address);
1602 
1603  if (BUG(ip_str == NULL)) {
1604  log_warn(LD_EXIT, "tor_inet_ntop() failed!");
1605  result = DNS_ERR_NOTEXIST;
1606  } else if (answer_is_wildcarded(answer_buf)) {
1607  log_debug(LD_EXIT, "eventdns said that %s resolves to ISP-hijacked "
1608  "address %s; treating as a failure.",
1609  safe_str(escaped_address),
1610  escaped_safe_str(answer_buf));
1611  was_wildcarded = 1;
1612  tor_addr_make_unspec(&addr);
1613  result = DNS_ERR_NOTEXIST;
1614  } else {
1615  log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1616  safe_str(escaped_address),
1617  escaped_safe_str(answer_buf));
1618  }
1619  tor_free(escaped_address);
1620  } else if (type == DNS_PTR && count) {
1621  char *escaped_address;
1622  hostname = ((char**)addresses)[0];
1623  escaped_address = esc_for_log(string_address);
1624  log_debug(LD_EXIT, "eventdns said that %s resolves to %s",
1625  safe_str(escaped_address),
1626  escaped_safe_str(hostname));
1627  tor_free(escaped_address);
1628  } else if (count) {
1629  log_info(LD_EXIT, "eventdns returned only unrecognized answer types "
1630  " for %s.",
1631  escaped_safe_str(string_address));
1632  } else {
1633  log_info(LD_EXIT, "eventdns returned no addresses or error for %s.",
1634  escaped_safe_str(string_address));
1635  }
1636  }
1637  if (was_wildcarded) {
1638  if (is_test_address(string_address)) {
1639  /* Ick. We're getting redirected on known-good addresses. Our DNS
1640  * server must really hate us. */
1641  add_wildcarded_test_address(string_address);
1642  }
1643  }
1644 
1645  if (orig_query_type && type && orig_query_type != type) {
1646  log_warn(LD_BUG, "Weird; orig_query_type == %d but type == %d",
1647  (int)orig_query_type, (int)type);
1648  }
1649  if (result != DNS_ERR_SHUTDOWN)
1650  dns_found_answer(string_address, orig_query_type,
1651  result, &addr, hostname, ttl);
1652 
1653  /* The result can be changed within this function thus why we note the result
1654  * at the end. */
1655  rep_hist_note_dns_error(type, result);
1656 
1657  tor_free(arg_);
1658 }
1659 
1660 /** Start a single DNS resolve for <b>address</b> (if <b>query_type</b> is
1661  * DNS_IPv4_A or DNS_IPv6_AAAA) <b>ptr_address</b> (if <b>query_type</b> is
1662  * DNS_PTR). Return 0 if we launched the request, -1 otherwise. */
1663 static int
1664 launch_one_resolve(const char *address, uint8_t query_type,
1665  const tor_addr_t *ptr_address)
1666 {
1667  const int options = get_options()->ServerDNSSearchDomains ? 0
1668  : DNS_QUERY_NO_SEARCH;
1669  const size_t addr_len = strlen(address);
1670  struct evdns_request *req = 0;
1671  char *addr = tor_malloc(addr_len + 2);
1672  addr[0] = (char) query_type;
1673  memcpy(addr+1, address, addr_len + 1);
1674 
1675  /* Note the query for our statistics. */
1676  rep_hist_note_dns_request(query_type);
1677 
1678  switch (query_type) {
1679  case DNS_IPv4_A:
1680  req = evdns_base_resolve_ipv4(the_evdns_base,
1681  address, options, evdns_callback, addr);
1682  break;
1683  case DNS_IPv6_AAAA:
1684  req = evdns_base_resolve_ipv6(the_evdns_base,
1685  address, options, evdns_callback, addr);
1686  ++n_ipv6_requests_made;
1687  break;
1688  case DNS_PTR:
1689  if (tor_addr_family(ptr_address) == AF_INET)
1690  req = evdns_base_resolve_reverse(the_evdns_base,
1691  tor_addr_to_in(ptr_address),
1692  DNS_QUERY_NO_SEARCH,
1693  evdns_callback, addr);
1694  else if (tor_addr_family(ptr_address) == AF_INET6)
1695  req = evdns_base_resolve_reverse_ipv6(the_evdns_base,
1696  tor_addr_to_in6(ptr_address),
1697  DNS_QUERY_NO_SEARCH,
1698  evdns_callback, addr);
1699  else
1700  log_warn(LD_BUG, "Called with PTR query and unexpected address family");
1701  break;
1702  default:
1703  log_warn(LD_BUG, "Called with unexpected query type %d", (int)query_type);
1704  break;
1705  }
1706 
1707  if (req) {
1708  return 0;
1709  } else {
1710  tor_free(addr);
1711  return -1;
1712  }
1713 }
1714 
1715 /** For eventdns: start resolving as necessary to find the target for
1716  * <b>exitconn</b>. Returns -1 on error, -2 on transient error,
1717  * 0 on "resolve launched." */
1718 MOCK_IMPL(STATIC int,
1720 {
1721  tor_addr_t a;
1722  int r;
1723 
1724  if (net_is_disabled())
1725  return -1;
1726 
1727  /* What? Nameservers not configured? Sounds like a bug. */
1728  if (!nameservers_configured) {
1729  log_warn(LD_EXIT, "(Harmless.) Nameservers not configured, but resolve "
1730  "launched. Configuring.");
1731  if (configure_nameservers(1) < 0) {
1732  return -1;
1733  }
1734  }
1735 
1737  &a, resolve->address, AF_UNSPEC, 0);
1738 
1740  if (r == 0) {
1741  log_info(LD_EXIT, "Launching eventdns request for %s",
1742  escaped_safe_str(resolve->address));
1743  resolve->res_status_ipv4 = RES_STATUS_INFLIGHT;
1744  if (get_options()->IPv6Exit)
1745  resolve->res_status_ipv6 = RES_STATUS_INFLIGHT;
1746 
1747  if (launch_one_resolve(resolve->address, DNS_IPv4_A, NULL) < 0) {
1748  resolve->res_status_ipv4 = 0;
1749  r = -1;
1750  }
1751 
1752  if (r==0 && get_options()->IPv6Exit) {
1753  /* We ask for an IPv6 address for *everything*. */
1754  if (launch_one_resolve(resolve->address, DNS_IPv6_AAAA, NULL) < 0) {
1755  resolve->res_status_ipv6 = 0;
1756  r = -1;
1757  }
1758  }
1759  } else if (r == 1) {
1760  r = 0;
1761  log_info(LD_EXIT, "Launching eventdns reverse request for %s",
1762  escaped_safe_str(resolve->address));
1763  resolve->res_status_hostname = RES_STATUS_INFLIGHT;
1764  if (launch_one_resolve(resolve->address, DNS_PTR, &a) < 0) {
1765  resolve->res_status_hostname = 0;
1766  r = -1;
1767  }
1768  } else if (r == -1) {
1769  log_warn(LD_BUG, "Somehow a malformed in-addr.arpa address reached here.");
1770  }
1771 
1772  if (r < 0) {
1773  log_fn(LOG_PROTOCOL_WARN, LD_EXIT, "eventdns rejected address %s.",
1774  escaped_safe_str(resolve->address));
1775  }
1776  return r;
1777 }
1778 
1779 /** How many requests for bogus addresses have we launched so far? */
1780 static int n_wildcard_requests = 0;
1781 
1782 /** Map from dotted-quad IP address in response to an int holding how many
1783  * times we've seen it for a randomly generated (hopefully bogus) address. It
1784  * would be easier to use definitely-invalid addresses (as specified by
1785  * RFC2606), but see comment in dns_launch_wildcard_checks(). */
1786 static strmap_t *dns_wildcard_response_count = NULL;
1787 
1788 /** If present, a list of dotted-quad IP addresses that we are pretty sure our
1789  * nameserver wants to return in response to requests for nonexistent domains.
1790  */
1792 /** True iff we've logged about a single address getting wildcarded.
1793  * Subsequent warnings will be less severe. */
1795 /** True iff we've warned that our DNS server is wildcarding too many failures.
1796  */
1798 
1799 /** List of supposedly good addresses that are getting wildcarded to the
1800  * same addresses as nonexistent addresses. */
1802 /** True iff we've warned about a test address getting wildcarded */
1804 /** True iff all addresses seem to be getting wildcarded. */
1806 
1807 /** Called when we see <b>id</b> (a dotted quad or IPv6 address) in response
1808  * to a request for a hopefully bogus address. */
1809 static void
1811 {
1812  int *ip;
1814  dns_wildcard_response_count = strmap_new();
1815 
1816  ip = strmap_get(dns_wildcard_response_count, id); // may be null (0)
1817  if (!ip) {
1818  ip = tor_malloc_zero(sizeof(int));
1819  strmap_set(dns_wildcard_response_count, id, ip);
1820  }
1821  ++*ip;
1822 
1823  if (*ip > 5 && n_wildcard_requests > 10) {
1827  "Your DNS provider has given \"%s\" as an answer for %d different "
1828  "invalid addresses. Apparently they are hijacking DNS failures. "
1829  "I'll try to correct for this by treating future occurrences of "
1830  "\"%s\" as 'not found'.", id, *ip, id);
1832  }
1834  control_event_server_status(LOG_NOTICE, "DNS_HIJACKED");
1836  }
1837 }
1838 
1839 /** Note that a single test address (one believed to be good) seems to be
1840  * getting redirected to the same IP as failures are. */
1841 static void
1842 add_wildcarded_test_address(const char *address)
1843 {
1844  int n, n_test_addrs;
1847 
1849  address))
1850  return;
1851 
1852  n_test_addrs = get_options()->ServerDNSTestAddresses ?
1853  smartlist_len(get_options()->ServerDNSTestAddresses) : 0;
1854 
1856  n = smartlist_len(dns_wildcarded_test_address_list);
1857  if (n > n_test_addrs/2) {
1859  LD_EXIT, "Your DNS provider tried to redirect \"%s\" to a junk "
1860  "address. It has done this with %d test addresses so far. I'm "
1861  "going to stop being an exit node for now, since our DNS seems so "
1862  "broken.", address, n);
1865  mark_my_descriptor_dirty("dns hijacking confirmed");
1866  }
1868  control_event_server_status(LOG_WARN, "DNS_USELESS");
1870  }
1871 }
1872 
1873 /** Callback function when we get an answer (possibly failing) for a request
1874  * for a (hopefully) nonexistent domain. */
1875 static void
1876 evdns_wildcard_check_callback(int result, char type, int count, int ttl,
1877  void *addresses, void *arg)
1878 {
1879  (void)ttl;
1880  const char *ip_str;
1882  if (result == DNS_ERR_NONE && count) {
1883  char *string_address = arg;
1884  int i;
1885  if (type == DNS_IPv4_A) {
1886  const uint32_t *addrs = addresses;
1887  for (i = 0; i < count; ++i) {
1888  char answer_buf[INET_NTOA_BUF_LEN+1];
1889  struct in_addr in;
1890  int ntoa_res;
1891  in.s_addr = addrs[i];
1892  ntoa_res = tor_inet_ntoa(&in, answer_buf, sizeof(answer_buf));
1893  tor_assert_nonfatal(ntoa_res >= 0);
1894  if (ntoa_res > 0)
1895  wildcard_increment_answer(answer_buf);
1896  }
1897  } else if (type == DNS_IPv6_AAAA) {
1898  const struct in6_addr *addrs = addresses;
1899  for (i = 0; i < count; ++i) {
1900  char answer_buf[TOR_ADDR_BUF_LEN+1];
1901  ip_str = tor_inet_ntop(AF_INET6, &addrs[i], answer_buf,
1902  sizeof(answer_buf));
1903  tor_assert_nonfatal(ip_str);
1904  if (ip_str)
1905  wildcard_increment_answer(answer_buf);
1906  }
1907  }
1908 
1910  "Your DNS provider gave an answer for \"%s\", which "
1911  "is not supposed to exist. Apparently they are hijacking "
1912  "DNS failures. Trying to correct for this. We've noticed %d "
1913  "possibly bad address%s so far.",
1914  string_address, strmap_size(dns_wildcard_response_count),
1915  (strmap_size(dns_wildcard_response_count) == 1) ? "" : "es");
1917  }
1918  tor_free(arg);
1919 }
1920 
1921 /** Launch a single request for a nonexistent hostname consisting of between
1922  * <b>min_len</b> and <b>max_len</b> random (plausible) characters followed by
1923  * <b>suffix</b> */
1924 static void
1925 launch_wildcard_check(int min_len, int max_len, int is_ipv6,
1926  const char *suffix)
1927 {
1928  char *addr;
1929  struct evdns_request *req;
1930 
1931  addr = crypto_random_hostname(min_len, max_len, "", suffix);
1932  log_info(LD_EXIT, "Testing whether our DNS server is hijacking nonexistent "
1933  "domains with request for bogus hostname \"%s\"", addr);
1934 
1936  if (is_ipv6)
1937  req = evdns_base_resolve_ipv6(
1939  /* This "addr" tells us which address to resolve */
1940  addr,
1941  DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
1942  /* This "addr" is an argument to the callback*/ addr);
1943  else
1944  req = evdns_base_resolve_ipv4(
1946  /* This "addr" tells us which address to resolve */
1947  addr,
1948  DNS_QUERY_NO_SEARCH, evdns_wildcard_check_callback,
1949  /* This "addr" is an argument to the callback*/ addr);
1950  if (!req) {
1951  /* There is no evdns request in progress; stop addr from getting leaked */
1952  tor_free(addr);
1953  }
1954 }
1955 
1956 /** Launch attempts to resolve a bunch of known-good addresses (configured in
1957  * ServerDNSTestAddresses). [Callback for a libevent timer] */
1958 static void
1959 launch_test_addresses(evutil_socket_t fd, short event, void *args)
1960 {
1961  const or_options_t *options = get_options();
1962  (void)fd;
1963  (void)event;
1964  (void)args;
1965 
1966  if (net_is_disabled())
1967  return;
1968 
1969  log_info(LD_EXIT, "Launching checks to see whether our nameservers like to "
1970  "hijack *everything*.");
1971  /* This situation is worse than the failure-hijacking situation. When this
1972  * happens, we're no good for DNS requests at all, and we shouldn't really
1973  * be an exit server.*/
1974  if (options->ServerDNSTestAddresses) {
1975 
1978  const char *, address) {
1979  if (launch_one_resolve(address, DNS_IPv4_A, NULL) < 0) {
1980  log_info(LD_EXIT, "eventdns rejected test address %s",
1981  escaped_safe_str(address));
1982  }
1983 
1984  if (launch_one_resolve(address, DNS_IPv6_AAAA, NULL) < 0) {
1985  log_info(LD_EXIT, "eventdns rejected test address %s",
1986  escaped_safe_str(address));
1987  }
1988  } SMARTLIST_FOREACH_END(address);
1989  }
1990 }
1991 
1992 #define N_WILDCARD_CHECKS 2
1993 
1994 /** Launch DNS requests for a few nonexistent hostnames and a few well-known
1995  * hostnames, and see if we can catch our nameserver trying to hijack them and
1996  * map them to a stupid "I couldn't find ggoogle.com but maybe you'd like to
1997  * buy these lovely encyclopedias" page. */
1998 static void
2000 {
2001  int i, ipv6;
2002  log_info(LD_EXIT, "Launching checks to see whether our nameservers like "
2003  "to hijack DNS failures.");
2004  for (ipv6 = 0; ipv6 <= 1; ++ipv6) {
2005  for (i = 0; i < N_WILDCARD_CHECKS; ++i) {
2006  /* RFC2606 reserves these. Sadly, some DNS hijackers, in a silly
2007  * attempt to 'comply' with rfc2606, refrain from giving A records for
2008  * these. This is the standards-compliance equivalent of making sure
2009  * that your crackhouse's elevator inspection certificate is up to date.
2010  */
2011  launch_wildcard_check(2, 16, ipv6, ".invalid");
2012  launch_wildcard_check(2, 16, ipv6, ".test");
2013 
2014  /* These will break specs if there are ever any number of
2015  * 8+-character top-level domains. */
2016  launch_wildcard_check(8, 16, ipv6, "");
2017 
2018  /* Try some random .com/org/net domains. This will work fine so long as
2019  * not too many resolve to the same place. */
2020  launch_wildcard_check(8, 16, ipv6, ".com");
2021  launch_wildcard_check(8, 16, ipv6, ".org");
2022  launch_wildcard_check(8, 16, ipv6, ".net");
2023  }
2024  }
2025 }
2026 
2027 /** If appropriate, start testing whether our DNS servers tend to lie to
2028  * us. */
2029 void
2031 {
2032  static struct event *launch_event = NULL;
2033  struct timeval timeout;
2034  if (!get_options()->ServerDNSDetectHijacking)
2035  return;
2037 
2038  /* Wait a while before launching requests for test addresses, so we can
2039  * get the results from checking for wildcarding. */
2040  if (!launch_event)
2041  launch_event = tor_evtimer_new(tor_libevent_get_base(),
2042  launch_test_addresses, NULL);
2043  timeout.tv_sec = 30;
2044  timeout.tv_usec = 0;
2045  if (evtimer_add(launch_event, &timeout) < 0) {
2046  log_warn(LD_BUG, "Couldn't add timer for checking for dns hijacking");
2047  }
2048 }
2049 
2050 /** Return true iff our DNS servers lie to us too much to be trusted. */
2051 int
2053 {
2055 }
2056 
2057 /** Return true iff we think that IPv6 hostname lookup is broken */
2058 int
2060 {
2061  return dns_is_broken_for_ipv6;
2062 }
2063 
2064 /** Forget what we've previously learned about our DNS servers' correctness. */
2065 void
2067 {
2068  strmap_free(dns_wildcard_response_count, tor_free_);
2070 
2071  n_wildcard_requests = 0;
2072 
2073  n_ipv6_requests_made = n_ipv6_timeouts = 0;
2074 
2075  if (dns_wildcard_list) {
2076  SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp));
2078  }
2081  tor_free(cp));
2083  }
2086  dns_is_broken_for_ipv6 = 0;
2087 }
2088 
2089 /** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
2090  * returned in response to requests for nonexistent hostnames. */
2091 static int
2092 answer_is_wildcarded(const char *ip)
2093 {
2095 }
2096 
2097 /** Exit with an assertion if <b>resolve</b> is corrupt. */
2098 static void
2100 {
2101  tor_assert(resolve);
2102  tor_assert(resolve->magic == CACHED_RESOLVE_MAGIC);
2103  tor_assert(strlen(resolve->address) < MAX_ADDRESSLEN);
2105  if (resolve->state != CACHE_STATE_PENDING) {
2106  tor_assert(!resolve->pending_connections);
2107  }
2108  if (resolve->state == CACHE_STATE_PENDING ||
2109  resolve->state == CACHE_STATE_DONE) {
2110 #if 0
2111  tor_assert(!resolve->ttl);
2112  if (resolve->is_reverse)
2113  tor_assert(!resolve->hostname);
2114  else
2115  tor_assert(!resolve->result_ipv4.addr_ipv4);
2116 #endif /* 0 */
2117  /*XXXXX ADD MORE */
2118  }
2119 }
2120 
2121 /** Return the number of DNS cache entries as an int */
2122 static int
2124 {
2125  return HT_SIZE(&cache_root);
2126 }
2127 
2128 /* Return the total size in bytes of the DNS cache. */
2129 size_t
2130 dns_cache_total_allocation(void)
2131 {
2132  return sizeof(struct cached_resolve_t) * dns_cache_entry_count() +
2133  HT_MEM_USAGE(&cache_root);
2134 }
2135 
2136 /** Log memory information about our internal DNS cache at level 'severity'. */
2137 void
2138 dump_dns_mem_usage(int severity)
2139 {
2140  /* This should never be larger than INT_MAX. */
2141  int hash_count = dns_cache_entry_count();
2142  size_t hash_mem = dns_cache_total_allocation();
2143 
2144  /* Print out the count and estimated size of our &cache_root. It undercounts
2145  hostnames in cached reverse resolves.
2146  */
2147  tor_log(severity, LD_MM, "Our DNS cache has %d entries.", hash_count);
2148  tor_log(severity, LD_MM, "Our DNS cache size is approximately %u bytes.",
2149  (unsigned)hash_mem);
2150 }
2151 
2152 /* Do a round of OOM cleanup on all DNS entries. Return the amount of removed
2153  * bytes. It is possible that the returned value is lower than min_remove_bytes
2154  * if the caches get emptied out so the caller should be aware of this. */
2155 size_t
2156 dns_cache_handle_oom(time_t now, size_t min_remove_bytes)
2157 {
2158  time_t time_inc = 0;
2159  size_t total_bytes_removed = 0;
2160  size_t current_size = dns_cache_total_allocation();
2161 
2162  do {
2163  /* If no DNS entries left, break loop. */
2164  if (!dns_cache_entry_count())
2165  break;
2166 
2167  /* Get cutoff interval and remove entries. */
2168  time_t cutoff = now + time_inc;
2169  purge_expired_resolves(cutoff);
2170 
2171  /* Update amount of bytes removed and array size. */
2172  size_t bytes_removed = current_size - dns_cache_total_allocation();
2173  current_size -= bytes_removed;
2174  total_bytes_removed += bytes_removed;
2175 
2176  /* Increase time_inc by a reasonable fraction. */
2177  time_inc += (MAX_DNS_TTL / 4);
2178  } while (total_bytes_removed < min_remove_bytes);
2179 
2180  return total_bytes_removed;
2181 }
2182 
2183 #ifdef DEBUG_DNS_CACHE
2184 /** Exit with an assertion if the DNS cache is corrupt. */
2185 static void
2186 assert_cache_ok_(void)
2187 {
2188  cached_resolve_t **resolve;
2189  int bad_rep = HT_REP_IS_BAD_(cache_map, &cache_root);
2190  if (bad_rep) {
2191  log_err(LD_BUG, "Bad rep type %d on dns cache hash table", bad_rep);
2192  tor_assert(!bad_rep);
2193  }
2194 
2195  HT_FOREACH(resolve, cache_map, &cache_root) {
2196  assert_resolve_ok(*resolve);
2197  tor_assert((*resolve)->state != CACHE_STATE_DONE);
2198  }
2199  if (!cached_resolve_pqueue)
2200  return;
2201 
2204  offsetof(cached_resolve_t, minheap_idx));
2205 
2207  {
2208  if (res->state == CACHE_STATE_DONE) {
2209  cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
2210  tor_assert(!found || found != res);
2211  } else {
2212  cached_resolve_t *found = HT_FIND(cache_map, &cache_root, res);
2213  tor_assert(found);
2214  }
2215  });
2216 }
2217 
2218 #endif /* defined(DEBUG_DNS_CACHE) */
2219 
2221 dns_get_cache_entry(cached_resolve_t *query)
2222 {
2223  return HT_FIND(cache_map, &cache_root, query);
2224 }
2225 
2226 void
2227 dns_insert_cache_entry(cached_resolve_t *new_entry)
2228 {
2229  HT_INSERT(cache_map, &cache_root, new_entry);
2230 }
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933
void tor_addr_from_ipv4n(tor_addr_t *dest, uint32_t v4addr)
Definition: address.c:889
void tor_addr_make_unspec(tor_addr_t *a)
Definition: address.c:225
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
Definition: address.c:328
int tor_addr_parse(tor_addr_t *addr, const char *src)
Definition: address.c:1349
int tor_addr_parse_PTR_name(tor_addr_t *result, const char *address, int family, int accept_regular)
Definition: address.c:380
void tor_addr_from_in6(tor_addr_t *dest, const struct in6_addr *in6)
Definition: address.c:911
int tor_addr_from_sockaddr(tor_addr_t *a, const struct sockaddr *sa, uint16_t *port_out)
Definition: address.c:165
static const struct in_addr * tor_addr_to_in(const tor_addr_t *a)
Definition: address.h:204
static sa_family_t tor_addr_family(const tor_addr_t *a)
Definition: address.h:187
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
Definition: address.h:160
static const struct in6_addr * tor_addr_to_in6(const tor_addr_t *a)
Definition: address.h:117
#define tor_addr_from_ipv4h(dest, v4addr)
Definition: address.h:327
#define TOR_ADDR_BUF_LEN
Definition: address.h:224
static void set_uint32(void *cp, uint32_t v)
Definition: bytes.h:87
circuit_t * circuit_get_by_edge_conn(edge_connection_t *conn)
Definition: circuitlist.c:1571
or_circuit_t * TO_OR_CIRCUIT(circuit_t *x)
Definition: circuitlist.c:154
Header file for circuitlist.c.
#define CIRCUIT_IS_ORIGIN(c)
Definition: circuitlist.h:147
void circuit_detach_stream(circuit_t *circ, edge_connection_t *conn)
Definition: circuituse.c:1379
Header file for circuituse.c.
struct event_base * tor_libevent_get_base(void)
Header for compat_libevent.c.
const or_options_t * get_options(void)
Definition: config.c:919
const char * escaped_safe_str(const char *address)
Definition: config.c:1122
Header file for config.c.
void assert_connection_ok(connection_t *conn, time_t now)
Definition: connection.c:5570
void connection_free_(connection_t *conn)
Definition: connection.c:960
Header file for connection.c.
#define CONN_TYPE_EXIT
Definition: connection.h:46
void connection_exit_connect(edge_connection_t *edge_conn)
uint32_t clip_dns_ttl(uint32_t ttl)
int connection_edge_end(edge_connection_t *conn, uint8_t reason)
Header file for connection_edge.c.
#define EXIT_CONN_STATE_CONNECTING
int address_is_invalid_destination(const char *address, int client)
Definition: addressmap.c:1082
#define BEGIN_FLAG_IPV6_PREFERRED
#define EXIT_CONN_STATE_RESOLVEFAILED
#define EXIT_PURPOSE_CONNECT
#define BEGIN_FLAG_IPV4_NOT_OK
#define EXIT_CONN_STATE_RESOLVING
#define DEFAULT_DNS_TTL
#define BEGIN_FLAG_IPV6_OK
#define EXIT_PURPOSE_RESOLVE
#define MAX_DNS_TTL
int control_event_server_status(int severity, const char *format,...)
Header file for control_events.c.
char * crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix)
Definition: crypto_rand.c:552
Common functions for using (pseudo-)random number generators.
static int dns_wildcard_notice_given
Definition: dns.c:1797
STATIC int set_exitconn_info_from_resolve(edge_connection_t *exitconn, const cached_resolve_t *resolve, char **hostname_out)
Definition: dns.c:847
static int dns_wildcard_one_notice_given
Definition: dns.c:1794
static int nameservers_configured
Definition: dns.c:91
int dns_init(void)
Definition: dns.c:217
static unsigned int cached_resolve_hash(cached_resolve_t *a)
Definition: dns.c:144
static void add_wildcarded_test_address(const char *address)
Definition: dns.c:1842
static int nameserver_config_failed
Definition: dns.c:93
static void dns_launch_wildcard_checks(void)
Definition: dns.c:1999
static void assert_resolve_ok(cached_resolve_t *resolve)
Definition: dns.c:2099
static char * resolv_conf_fname
Definition: dns.c:96
static int dns_cache_entry_count(void)
Definition: dns.c:2123
int dns_seems_to_be_broken(void)
Definition: dns.c:2052
STATIC void send_resolved_cell(edge_connection_t *conn, uint8_t answer_type, const cached_resolve_t *resolved)
Definition: dns.c:493
void dns_reset_correctness_checks(void)
Definition: dns.c:2066
STATIC void send_resolved_hostname_cell(edge_connection_t *conn, const char *hostname)
Definition: dns.c:560
static int n_wildcard_requests
Definition: dns.c:1780
static void init_cache_map(void)
Definition: dns.c:156
static struct evdns_base * the_evdns_base
Definition: dns.c:88
static void evdns_callback(int result, char type, int count, int ttl, void *addresses, void *arg)
Definition: dns.c:1530
static int configure_nameservers(int force)
Definition: dns.c:1363
static void inform_pending_connections(cached_resolve_t *resolve)
Definition: dns.c:1167
static smartlist_t * dns_wildcard_list
Definition: dns.c:1791
static void evdns_wildcard_check_callback(int result, char type, int count, int ttl, void *addresses, void *arg)
Definition: dns.c:1876
#define RESOLVE_MAX_TIMEOUT
Definition: dns.c:85
static void purge_expired_resolves(time_t now)
Definition: dns.c:401
STATIC void dns_cancel_pending_resolve(const char *address)
Definition: dns.c:1024
static int evdns_err_is_transient(int err)
Definition: dns.c:1307
size_t number_of_configured_nameservers(void)
Definition: dns.c:1324
void connection_dns_remove(edge_connection_t *conn)
Definition: dns.c:969
static smartlist_t * dns_wildcarded_test_address_list
Definition: dns.c:1801
int has_dns_init_failed(void)
Definition: dns.c:258
static int dns_is_completely_invalid
Definition: dns.c:1805
void dump_dns_mem_usage(int severity)
Definition: dns.c:2138
static void free_cached_resolve_(cached_resolve_t *r)
Definition: dns.c:265
void dns_free_all(void)
Definition: dns.c:376
STATIC int dns_resolve_impl(edge_connection_t *exitconn, int is_resolve, or_circuit_t *oncirc, char **hostname_out, int *made_connection_pending_out, cached_resolve_t **resolve_out)
Definition: dns.c:695
static void launch_test_addresses(evutil_socket_t fd, short event, void *args)
Definition: dns.c:1959
static int dns_wildcarded_test_address_notice_given
Definition: dns.c:1803
static int launch_one_resolve(const char *address, uint8_t query_type, const tor_addr_t *ptr_address)
Definition: dns.c:1664
static void evdns_log_cb(int warn, const char *msg)
Definition: dns.c:163
static int answer_is_wildcarded(const char *ip)
Definition: dns.c:2092
STATIC int launch_resolve(cached_resolve_t *resolve)
Definition: dns.c:1719
int dns_seems_to_be_broken_for_ipv6(void)
Definition: dns.c:2059
int dns_resolve(edge_connection_t *exitconn)
Definition: dns.c:610
static strmap_t * dns_wildcard_response_count
Definition: dns.c:1786
static time_t resolv_conf_mtime
Definition: dns.c:99
int dns_reset(void)
Definition: dns.c:230
static void launch_wildcard_check(int min_len, int max_len, int is_ipv6, const char *suffix)
Definition: dns.c:1925
static int is_test_address(const char *address)
Definition: dns.c:1097
static int compare_cached_resolves_by_expiry_(const void *_a, const void *_b)
Definition: dns.c:284
static void make_pending_resolve_cached(cached_resolve_t *cached)
Definition: dns.c:1251
void dns_launch_correctness_checks(void)
Definition: dns.c:2030
static smartlist_t * cached_resolve_pqueue
Definition: dns.c:297
static int cached_resolve_have_all_answers(const cached_resolve_t *resolve)
Definition: dns.c:352
static void set_expiry(cached_resolve_t *resolve, time_t expires)
Definition: dns.c:362
static void dns_found_answer(const char *address, uint8_t query_type, int dns_answer, const tor_addr_t *addr, const char *hostname, uint32_t ttl)
Definition: dns.c:1114
static HT_HEAD(cache_map, cached_resolve_t)
Definition: dns.c:123
void assert_connection_edge_not_dns_pending(edge_connection_t *conn)
Definition: dns.c:942
static void wildcard_increment_answer(const char *id)
Definition: dns.c:1810
Header file for dns.c.
#define CACHE_STATE_PENDING
Definition: dns_structs.h:38
#define RES_STATUS_DONE_OK
Definition: dns_structs.h:53
#define MAX_ADDRESSLEN
Definition: dns_structs.h:19
#define CACHED_RESOLVE_MAGIC
Definition: dns_structs.h:29
#define CACHE_STATE_CACHED
Definition: dns_structs.h:45
#define RES_STATUS_DONE_ERR
Definition: dns_structs.h:55
#define RES_STATUS_INFLIGHT
Definition: dns_structs.h:51
#define CACHE_STATE_DONE
Definition: dns_structs.h:42
Edge-connection structure.
const char * escaped(const char *s)
Definition: escape.c:126
char * esc_for_log(const char *s)
Definition: escape.c:30
HT_PROTOTYPE(hs_circuitmap_ht, circuit_t, hs_circuitmap_node, hs_circuit_hash_token, hs_circuits_have_same_token)
int tor_inet_ntoa(const struct in_addr *in, char *buf, size_t buf_len)
Definition: inaddr.c:79
const char * tor_inet_ntop(int af, const void *src, char *dst, size_t len)
Definition: inaddr.c:98
#define INET_NTOA_BUF_LEN
Definition: inaddr.h:21
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:590
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define log_fn_ratelim(ratelim, severity, domain, args,...)
Definition: log.h:288
#define LD_MM
Definition: log.h:74
#define LD_FS
Definition: log.h:70
#define LD_BUG
Definition: log.h:86
#define LOG_NOTICE
Definition: log.h:50
#define LOG_WARN
Definition: log.h:53
#define LOG_INFO
Definition: log.h:45
void dns_servers_relaunch_checks(void)
Definition: mainloop.c:2320
Header file for mainloop.c.
void tor_free_(void *mem)
Definition: malloc.c:227
void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2)
Definition: malloc.c:146
#define tor_free(p)
Definition: malloc.h:52
int net_is_disabled(void)
Definition: netstatus.c:25
Header for netstatus.c.
#define SOCKET_OK(s)
Definition: nettypes.h:39
Master header file for Tor-specific functionality.
#define RELAY_PAYLOAD_SIZE
Definition: or.h:486
#define TO_CONN(c)
Definition: or.h:616
Header file for policies.c.
int connection_edge_send_command(edge_connection_t *fromconn, uint8_t relay_command, const char *payload, size_t payload_len)
Definition: relay.c:732
Header file for relay.c.
void rep_hist_note_dns_error(int type, uint8_t error)
Definition: rephist.c:325
void rep_hist_note_dns_request(int type)
Definition: rephist.c:377
void rep_hist_note_overload(overload_type_t overload)
Definition: rephist.c:484
Header file for rephist.c.
int router_compare_to_my_exit_policy(const tor_addr_t *addr, uint16_t port)
Definition: router.c:1692
void mark_my_descriptor_dirty(const char *reason)
Definition: router.c:2569
int router_my_exit_policy_is_reject_star(void)
Definition: router.c:1727
Header file for router.c.
int server_mode(const or_options_t *options)
Definition: routermode.c:34
Header file for routermode.c.
Header file for sandbox.c.
#define sandbox_intern_string(s)
Definition: sandbox.h:110
void smartlist_pqueue_assert_ok(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset)
Definition: smartlist.c:803
int smartlist_contains_string_case(const smartlist_t *sl, const char *element)
Definition: smartlist.c:133
void smartlist_pqueue_add(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset, void *item)
Definition: smartlist.c:726
int smartlist_contains_string(const smartlist_t *sl, const char *element)
Definition: smartlist.c:93
void * smartlist_pqueue_pop(smartlist_t *sl, int(*compare)(const void *a, const void *b), ptrdiff_t idx_field_offset)
Definition: smartlist.c:755
smartlist_t * smartlist_new(void)
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
struct in6_addr addr_ipv6
Definition: dns_structs.h:73
uint32_t magic
Definition: dns_structs.h:64
uint32_t addr_ipv4
Definition: dns_structs.h:68
uint32_t ttl_ipv6
Definition: dns_structs.h:95
union cached_resolve_t::@18 result_ipv4
char address[MAX_ADDRESSLEN]
Definition: dns_structs.h:65
uint32_t ttl_ipv4
Definition: dns_structs.h:94
uint32_t ttl_hostname
Definition: dns_structs.h:96
pending_connection_t * pending_connections
Definition: dns_structs.h:98
union cached_resolve_t::@19 result_ipv6
uint8_t state
Definition: connection_st.h:49
unsigned int type
Definition: connection_st.h:50
uint16_t marked_for_close
uint16_t port
unsigned int purpose
Definition: connection_st.h:51
tor_socket_t s
Definition: connection_st.h:96
tor_addr_t addr
unsigned int is_reverse_dns_lookup
struct edge_connection_t * next_stream
struct circuit_t * on_circuit
edge_connection_t * resolving_streams
Definition: or_circuit_st.h:42
edge_connection_t * n_streams
Definition: or_circuit_st.h:39
char * ServerDNSResolvConfFile
struct smartlist_t * ServerDNSTestAddresses
int ServerDNSSearchDomains
int ServerDNSRandomizeCase
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
#define tor_assert(expr)
Definition: util_bug.h:102
#define tor_fragile_assert()
Definition: util_bug.h:270
void tor_strlower(char *s)
Definition: util_string.c:127
int strcmpstart(const char *s1, const char *s2)
Definition: util_string.c:215
int tor_strisnonupper(const char *s)
Definition: util_string.c:171